Merge branch 'master' into ola_fulfill

frontend/templates/base.html

@@ -85,7 +85,7 @@
     </div>
 
 <div class="launch_top">
-The <a href="/work/81724/">first unglued book</a> is on the way!  Please consider supporting our <a href="/campaigns/ending#2">three active campaigns</a>.
+The <a href="/work/81724/">first unglued book</a> is on the way!  Please consider supporting our <a href="/campaigns/ending#2">four active campaigns</a>.
 </div>
     {% block topsection %}{% endblock %}
     {% block content %}{% endblock %}

frontend/templates/work.html

@@ -209,7 +209,7 @@ $j(document).ready(function(){
 							    </div>
                             {% else %}{% if work in request.user.wishlist.works.all %}
                                 <div class="remove-wishlist-workpage">
-                                    <span id="w{{ work_id }}">Remove This</span>
+                                    <span id="w{{ work_id }}">Remove from Wishlist</span>
                                 </div>
                             {% else %}
                                 <div class="add-wishlist">

payment/amazon.py

@@ -220,14 +220,36 @@ def amazonPaymentReturn(request):
         status = request.GET['status']
         reference = request.GET['callerReference']
         token = request.GET['tokenID']
-        
 
-        # BUGUBG - Should we verify the signature here?
-        #
+        # validate the signature
+        
+        uri = request.build_absolute_uri()
+        parsed_url = urlparse.urlparse(uri)
+        
+        connection = FPSConnection(FPS_ACCESS_KEY, FPS_SECRET_KEY, host=settings.AMAZON_FPS_HOST)
+        
+        # Check the validity of the IPN
+        resp = connection.verify_signature("%s://%s%s" %(parsed_url.scheme, 
+                                                         parsed_url.netloc, 
+                                                         parsed_url.path),
+                                                         urllib.urlencode(request.GET))
+        
+        if not resp[0].VerificationStatus == "Success":
+            # Error, ignore this 
+            logging.error("amazonPaymentReturn cannot be verified with get data: ")
+            logging.error(request.GET)
+            return HttpResponseForbidden()
+        
+        logging.debug("amazonPaymentReturn sig verified:")
+        logging.debug(request.GET)
+        
+        # validation of signature ok
         # Find the transaction by reference, there should only be one
-        # We will catch the exception if it does not exist
-        #
-        transaction = Transaction.objects.get(secret=reference)
+        try:
+            transaction = Transaction.objects.get(secret=reference)
+        except:
+            logging.info("transaction with secret {0}".format(reference))
+            return HttpResponseForbidden()
         
         logging.info("Amazon Co-branded Return URL called for transaction id: %d" % transaction.id)
         logging.info(request.GET)

settings/jenkins.py

@@ -57,7 +57,7 @@ GOOGLE_DISPLAY_NAME = 'unglue it!'
 
 # you'll need to register a GoogleBooks API key
 # https://code.google.com/apis/console
-GOOGLE_BOOKS_API_KEY = 'AIzaSyBE36z7o6NUafIWcLEB8yk2I47-8_5y1_0'
+GOOGLE_BOOKS_API_KEY = 'AIzaSyD4CFqxbxTpSQP55q0q1uTGzLBsDki1s4E'
 
 PAYPAL_USERNAME = ''
 PAYPAL_PASSWORD =  ''

static/js/wishlist.js

@@ -40,7 +40,7 @@ $j().ready(function() {
     contentblock.on("click", "div.create-account", function () {
         var span = $j(this).find("span");
         var work_url = span.attr('title')
-        window.location = "/accounts/login/?next=" + work_url;
+        top.location = "/accounts/login/?next=" + work_url;
     });
 
 	// in panel view on the supporter page we want to remove the entire book listing from view upon wishlist-remove